Developers of the systemd system manager are currently discussing how to reduce the dependencies of the libsystemd library, which interacts not only with systemd components but also with numerous external applications. The initiator of the discussion is concerned about the increased attack surface if a third-party library is compromised, as seen with the liblzma library, which is used by more than 150 packages in Fedora.
Aside from liblzma and glibc, the libzstd, liblz4, and libgcrypt libraries are also loaded by libsystemd, making security maintenance a critical task. The library provides access to 12 basic APIs, and in the current situation libraries are loaded unnecessarily when only specific functions are required. A proposal to split libsystemd into separate libraries, each responsible for an individual API, is being considered to address this issue.
Some developers believe that separating the handlers in libsystemd would be a challenging task that could lead to efficiency loss or code duplication. To address memory consumption in libsystemd, a recent change was accepted to load the liblzma, libzstd, and liblz4 libraries dynamically, only when necessary. A similar change for libgcrypt will be implemented in a future release.
However, this solution has faced criticism for making the connection to external components less obvious and complicating diagnosis. The use of dlopen() for loading external libraries may hide important details from users and maintainers.
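The diagnostic gap described above can be narrowed by comparing what a binary declares with what a running process has actually mapped. The following is an added example, not code from the systemd project; the daemon name `exampled`, the function names, and both sample inputs are constructed assumptions.

```python
import os
import re

# Constructed sample inputs for a hypothetical daemon "exampled" (not real output).
LDD_SAMPLE = """\
    linux-vdso.so.1 (0x00007ffc0a5f2000)
    libsystemd.so.0 => /usr/lib64/libsystemd.so.0 (0x00007f3a1c000000)
    libgcrypt.so.20 => /usr/lib64/libgcrypt.so.20 (0x00007f3a1be00000)
    libc.so.6 => /usr/lib64/libc.so.6 (0x00007f3a1bc00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3a1c200000)
"""
MAPS_SAMPLE = """\
55d0c0001000-55d0c0009000 r-xp 00001000 fd:00 1001 /usr/bin/exampled
55d0c1a00000-55d0c1a21000 rw-p 00000000 00:00 0 [heap]
7f3a1b800000-7f3a1b820000 r-xp 00003000 fd:00 1005 /usr/lib64/liblzma.so.5.4.6
7f3a1bc28000-7f3a1bd9d000 r-xp 00028000 fd:00 1002 /usr/lib64/libc.so.6
7f3a1be10000-7f3a1bee0000 r-xp 00010000 fd:00 1003 /usr/lib64/libgcrypt.so.20.4.3
7f3a1c014000-7f3a1c0c0000 r-xp 00014000 fd:00 1004 /usr/lib64/libsystemd.so.0.38.0
7f3a1c201000-7f3a1c227000 r-xp 00001000 fd:00 1006 /usr/lib64/ld-linux-x86-64.so.2
"""

def lib_stem(path):
    """'/usr/lib64/liblzma.so.5.4.6' -> 'liblzma'; None if not a shared object."""
    name = os.path.basename(path.removesuffix(" (deleted)"))
    m = re.match(r"(.+?)\.so(\.[\d.]+)?$", name)
    return m.group(1) if m else None

def declared_libs(ldd_text):
    """Stems of libraries resolved at link/load time (ldd-style output)."""
    stems = set()
    for line in ldd_text.splitlines():
        f = line.split()
        if f:
            # "name => /path (addr)" or "/path (addr)" or "name (addr)"
            resolved = len(f) >= 3 and f[1] == "=>" and f[2].startswith("/")
            stems.add(lib_stem(f[2] if resolved else f[0]))
    return stems - {None}

def mapped_libs(maps_text):
    """Stem -> path for file-backed executable mappings in /proc/<pid>/maps."""
    libs = {}
    for line in maps_text.splitlines():
        f = line.split(None, 5)
        if len(f) == 6 and "x" in f[1] and f[5].startswith("/") and lib_stem(f[5]):
            libs[lib_stem(f[5])] = f[5]
    return libs

def undeclared(ldd_text, maps_text):
    """Libraries mapped at runtime that no declared dependency accounts for."""
    declared = declared_libs(ldd_text)
    return {s: p for s, p in mapped_libs(maps_text).items() if s not in declared}
```

On a live system the two inputs would come from `ldd` on the binary and from `/proc/<pid>/maps` of the running process. A library appears in the second only after the code path that calls dlopen() has actually run.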
Lennart Poettering, a key figure in the systemd project, has expressed opinions on this ongoing discussion.